Network Working Group P. Chown
Request for Comments: 3268 Skygate Technology
Category: Standards Track June 2002
Advanced Encryption Standard (AES) Ciphersuites for Transport Layer
Security (TLS)
Status of this Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2002). All Rights Reserved.
Abstract
This document proposes several new ciphersuites. At present, the
symmetric ciphers supported by Transport Layer Security (TLS) are
RC2, RC4, International Data Encryption Algorithm (IDEA), Data
Encryption Standard (DES), and triple DES. The protocol would be
enhanced by the addition of Advanced Encryption Standard (AES)
ciphersuites.
Overview
At present, the symmetric ciphers supported by TLS are RC2, RC4,
IDEA, DES, and triple DES. The protocol would be enhanced by the
addition of AES [AES] ciphersuites, for the following reasons:
1. RC2, RC4, and IDEA are all subject to intellectual property
claims. RSA Security Inc. has trademark rights in the names RC2
and RC4, and claims that the RC4 algorithm itself is a trade
secret. Ascom Systec Ltd. owns a patent on the IDEA algorithm.
2. Triple DES is much less efficient than more modern ciphers.
3. Now that the AES process is completed there will be commercial
pressure to use the selected cipher. The AES is efficient and has
withstood extensive cryptanalytic efforts. The AES is therefore a
desirable choice.
Chown Standards Track [Page 1]RFC 3268 AES Ciphersuites for TLS June 2002
4. Currently the DHE ciphersuites only allow triple DES (along with
some "export" variants which do not use a satisfactory key
length). At the same time the DHE ciphersuites are the only ones
to offer forward secrecy.
This document proposes several new ciphersuites, with the aim of
overcoming these problems.
Cipher Usage
The new ciphersuites proposed here are very similar to the following,
defined in [TLS]:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
All the ciphersuites described here use the AES in cipher block
chaining (CBC) mode. Furthermore, they use SHA-1 [SHA-1] in an HMAC
construction as described in section 5 of [TLS]. (Although the TLS
ciphersuite names include the text "SHA", this actually refers to the
modified SHA-1 version of the algorithm.)
The ciphersuites differ in the type of certificate and key exchange
method. The ciphersuites defined here use the following options for
this part of the protocol:
CipherSuite Certificate type (if applicable)
and key exchange algorithm
TLS_RSA_WITH_AES_128_CBC_SHA RSA
TLS_DH_DSS_WITH_AES_128_CBC_SHA DH_DSS
TLS_DH_RSA_WITH_AES_128_CBC_SHA DH_RSA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE_DSS
TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE_RSA
TLS_DH_anon_WITH_AES_128_CBC_SHA DH_anon
TLS_RSA_WITH_AES_256_CBC_SHA RSA
TLS_DH_DSS_WITH_AES_256_CBC_SHA DH_DSS
TLS_DH_RSA_WITH_AES_256_CBC_SHA DH_RSA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE_DSS
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DHE_RSA
TLS_DH_anon_WITH_AES_256_CBC_SHA DH_anon
Chown Standards Track [Page 2]RFC 3268 AES Ciphersuites for TLS June 2002
For the meanings of the terms RSA, DH_DSS, DH_RSA, DHE_DSS, DHE_RSA
and DH_anon, please refer to sections 7.4.2 and 7.4.3 of [TLS].
The AES supports key lengths of 128, 192 and 256 bits. However, this
document only defines ciphersuites for 128- and 256-bit keys. This
is to avoid unnecessary proliferation of ciphersuites. Rijndael
actually allows for 192- and 256-bit block sizes as well as the 128-
bit blocks mandated by the AES process. The ciphersuites defined
here all use 128-bit blocks.
The new ciphersuites will have the following definitions:
CipherSuite TLS_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x2F };
CipherSuite TLS_DH_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x30 };
CipherSuite TLS_DH_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x31 };
CipherSuite TLS_DHE_DSS_WITH_AES_128_CBC_SHA = { 0x00, 0x32 };
CipherSuite TLS_DHE_RSA_WITH_AES_128_CBC_SHA = { 0x00, 0x33 };